It's not exactly news that bad actors are targeting and successfully attacking the healthcare landscape with ransomware, crypto-attacks and other malicious means to disrupt patient care in the name of crime. Some criminals attack small clinics and business associates, as they tend to not have the same resources to protect ePHI as larger organizations do. Other criminals (must?) enjoy the challenge to take down or impact a name-brand hospital or healthcare network. Whether a single provider or part of a large healthcare setting, a HIPAA required Emergency Mode Operations Plan (EMOP) is one key to protecting lives and continuing to provide care.
Described in § 164.308(a)(7)(ii)(C), the EMOP is a document that helps the "...continuation of critical business processes for protection of the security of electronic protected health information while operation in emergency mode..." The most common instance of an "emergency mode" seems to be the loss of the electronic health record (EHR) system, but the EMOP should be developed to handle other mainstream emergencies including natural disaster (e.g. fire, flood, loss of power, etc.). Simply put, an EMOP allows business to continue, or defines what can and cannot be accomplished.
We encourage clinical staffs to create "downtime packets" to the point that they serve the purpose of continuing patient care during an emergency. Take a moment to think about the relationship and connectivity of our EHR systems; they are typically communicating with radiology systems, patient portals, secondary systems (e.g. OB/GYN, etc.), healthcare clearinghouses, and more. So an attack on the information services enterprise, no matter how small in size, affects more than just the initial system.
Just this month, Scripps Health reportedly suffered an attack and continued to run as best they can because their EMOP was in place and effective. We wish them well as they recover their systems and hope that our readers develop their processes - never needing to use them.
Stay (HIPAA) safe,